On Mar 13, 2015, at 10:06 PM, Tapani Tarvainen <[log in to unmask]> wrote: > Please add my name as well. > > -- > Tapani Tarvainen > > On Fri, Mar 13, 2015 at 02:54:52PM -0400, Nicolas Adam ([log in to unmask]) wrote: > >> Please add my name also. Good work. >> >> Nicolas Adam >> >> On 13/03/2015 2:11 PM, Kathy Kleiman wrote: >>> >>> >>> Dear All, >>> >>> Attached please find an important set of comments. They are to the >>> Whois Accuracy Pilot Study Report – by a group of researchers at >>> the University of Chicago called NORC. Buried in this report turns >>> out to be a many issues important to us in the Whois domain name >>> registration databases – including the question of postal >>> addresses (should we be validating and publishing the physical >>> addresses of political dissident groups, religious minorities, >>> girls’ schools in areas where many do not like girls education?Is >>> there a danger to be evaluated *before* we undertake this new >>> policy?) >>> >>> Identity Validation is a very open question as well, yet NORC >>> seems ready to start work in this area. I have written a set of >>> questions that say STOP – and let’s consider the policy >>> implications of these acts before we develop plans to put them >>> into effect. The comments are below (with a full copy attached). >>> >>> *They are due tonight!If you can sign on, please do. Please let me >>> know your name and/or organization and/or country.* >>> >>> ** >>> >>> Great tx to Stephanie Perrin for editing! Here are some thoughts >>> of members on our Policy Committee: >>> >>> -Kathy’s drafted, what I believe to be, an excellent comment in >>> response. – Amr Elsadr >>> >>> -Great job Kathy!! I support this document. -- Stephanie Perrin >>> >>> -Feel free to add my name as endorsing the document – Ed Morris >>> >>> Best and tx!! >>> Kathy (Kleiman) >>> >>> * >>> WHOIS Accuracy Pilot Study Report* >>> >>> Burying Extremely Divisive Policy Questions in a Technical >>> Implementation Report Written by an ICANN Contractor is Improper >>> and, in this Case, Dangerous >>> >>> >>> These are comments written in response to the WHOIS Accuracy Pilot >>> Study Report. Buried in this Report – which purports to be an >>> implementation report of an ICANN Contractor (NORC/University of >>> Chicago) -- are some of the most controversial and unsettled >>> issues in ICANN policy discussions and history. These issues are >>> the subject of deep and bitter divides over many years of ICANN >>> work, the subject of interest across the world, and the focus of a >>> series of explosive comments in Singaporewhen the ICANN Community >>> began to realize what was happening. >>> >>> >>> It is inappropriate in the extreme, for ICANN policy issues to be >>> buried in a ICANN Contractor’s implementation report, and even >>> further, deep in its Appendix B,/Next Steps for the Development of >>> the WHOIS Accuracy Report System (ARS). /This follows pages of >>> study “methods and approach” language and sample design which are >>> obscure even to those who follow Whois policy issues on a regular >>> basis.We submit that after the many years of heated controversy >>> over this topic, it is disingenuous at the very least to allow >>> this to happen policy debate to continue its development in this >>> manner. >>> >>> We are deeply concerned that ICANN Staff has not flagged this >>> Report, or this Comment Proceeding, for what it appears to be – a >>> process to seek permission from the ICANN Community for the: >>> >>> a)*wholesale checking of the physical addresses of online speakers >>> across the world (whether using domain names for political speech, >>> personal speech, or religious, ethnic or sexual minority >>> expression)*thus creating an unprecedented inextricable link >>> between a speaker and her physical location, and >>> >>> b)*the**radical new concept of Identity Validation for each and >>> every domain name Registrant to the ICANN Community, *a concept >>> with inconceivable implications for political, ethnic and >>> religious minorities worldwide, as well as entrepreneurs, emerging >>> organizations and those operating today without identities who >>> seek to create them. >>> >>> We respectfully add the issues below to this debate. >>> >>> *I.**ICANN has never been given a mandate for Address Checking on >>> a Massive Scale* >>> >>> Although the Contractor’s Report seems to suggest that the ICANN >>> Community has approved the massive checking of postal addresses in >>> the existing gTLD Whois databases, that is not the case. >>> >>> >>> A.The Whois Review Team Final Report set the standard of >>> “contactability” -- reaching the domain name registrant with >>> questions and concerns – not absolute accuracy of all data in the >>> whois >>> >>> The Current NORC Study (2014) and its accompanying ICANN Staff >>> Summary accompanying this NORC’s Pilot Report misrepresent the >>> WHOIS Policy Review Team Final Report and its Recommendations. The >>> goal of the Whois Review Team was “Contactibility” and >>> “Reachability” of the Registrant. To this end WHOIS Policy Review >>> Team Final Report looked “holistically” at the Whois record and >>> did not seek the accuracy of each and every element of a >>> Registrant’s Whois record. >>> >>> >>> Specifically, the NORC Report of 2009/2010 (an earlier report >>> called the NORC Data Accuracy Study) created five categories for >>> ranking the data quality of a Whois record: *Full Failure* >>> (overwhelmingly inaccurate); *Substantial Failure* (most data >>> inaccurate); *Limited Failure* (data to some degree present and >>> considered useful); *Minimal Failure* (may benefit from additional >>> information, but data provided is accurate) and *No Failure *(data >>> complete and accurate). >>> >>> */ >>> The Whois Review Team called for ICANN to significantly reduce the >>> number of “Full Failure” and “Substantial Failure” Whois Records >>> --- Avoidance of “No Failure” was not a goal at all./*As shared >>> many times in meetings of the Whois Review Team and members of the >>> ICANN Community, including the GAC, what the WHOIS Review Team >>> recommended was that Whois information be sufficiently available >>> and accurate for the Registrant to be reached –for legitimate >>> technical, administrative and other questions: [Recommendation] >>> “*6. ICANN shouldtakeappropriatemeasurestoreduce thenumberofWHOIS >>> registrationsthatfallintotheaccuracygroupsSubstantial Failureand >>> Full Failure(asdefinedbytheNORCDataAccuracyStudy,2009/10)by50%within12months >>> andby50%againoverthefollowing12months.*” >>> >>> >>> Thus, for the Whois Review Team, “No Failure” (full accuracy of >>> all fields) was */not the goal/*;“contactability” and >>> “reachability” of Registrants was. >>> >>> >>> B. 2013 Registrar Accreditation Agreement >>> >>> >>> The WHOIS Review Team Final Report noted that efforts were already >>> underway to improve accuracy and contactibility of Registrants in >>> the then-pending “direct negotiations with Registrars on revisions >>> to the RAA.” These negotiations resulted in the 2013 RAA which >>> furthered the goal of reaching Registrants through verified phone >>> numbers and email addresses: >>> >>> 1.f : “Verify: >>> >>> i.the email address of the Registered Name Holder (and, if >>> different, the Account Holder) by sending an email requiring an >>> affirmative response through a tool-based authentication method >>> such as providing a unique code that must be returned in a manner >>> designated by the Registrar, or >>> >>> ii.the telephone number of the Registered Name Holder (and, if >>> different, the Account Holder) by either (A) calling or sending an >>> SMS to the Registered Name Holder's telephone number providing a >>> unique code that must be returned in a manner designated by the >>> Registrar, or (B) calling the Registered Name Holder's telephone >>> number and requiring the Registered Name Holder to provide a >>> unique code that was sent to the Registered Name Holder via web, >>> email or postal mail. >>> >>> As with the Final Report of the Whois Review Team, the goal of the >>> 2013 RAA was “contactability” and “reachability” of the domain >>> name Registrant for technical or administrative questions by third >>> parties. >>> >>> C.Where Did the “No Failure” Standard Come From for NORC – the >>> Validation and Verification of Each and Every Whois Element >>> Without Policy Processes or Assessments of the Risks and Harms? >>> >>> Consistent with the Whois Review Team Final Report and the 2013 >>> RAA, we can understand the NORC methodology and approach to >>> checking email addresses and telephone numbers – but postal >>> address validation?Where is the underlying GNSO Policy driving >>> this direction to NORC from ICANN Staff? >>> >>> */Where is the assessment of the risks and benefits of updating >>> the physical addresses of hundreds of millions of political, >>> personal, religious, ethnic and sexual speakers – including >>> dissidents, minorities and those discriminated against by the laws >>> and customs of various regions?/*Where is NORC evaluating the >>> wholesale and massive verification of postal address in the >>> existing gTLD WHOIS databases without such an assessment?How did >>> ICANN Staff come to direct it? >>> >>> >>> The NORC Contractor seems to have jumped from the logical – >>> checking email and phone – to checking physical addresses. But >>> this leap from an open and undecided policy question to a mere >>> implementation issue should be disturbing to everyone in the ICANN >>> Community. What we know from history and the most tragic of recent >>> events is that speech and physical location are a dangerous >>> combination. >>> >>> >>> When individuals armed with automatic rifles wish to express their >>> disagreement with the legal speech of a satirical magazine, they >>> find the location in Parisand kill writers, publishers and >>> cartoonists. When they want to express contempt for those >>> practicing another religion, they bring their guns to kosher >>> grocery stores in Parisand synagogues in Copenhagen. Tracking down >>> and beheading Christian minorities is a horror of daily life in >>> some parts of the world. >>> >>> >>> The UN Declaration of Human Rights, adopted in 1948, states: >>> >>> * Everyone has the right to freedom of opinion and expression; this >>> right includes freedom to hold opinions without interference and >>> to seek, receive and impart information and ideas through any >>> media and regardless of frontiers. >>> >>> >>> It does not say that everyone must put their address on that >>> speech. Where, as here, the Internet has become the major path of >>> communication for that speech, the requirement of a physical >>> address for every speaker may well violate the requirement of the >>> right to speak and the protection for that expression. >>> >>> >>> Further, the validation of postal addresses represents a major >>> change of policy – one not mandated or requested by the Whois >>> Review Team, the 2013 RAA or by any Policy-Development Team we >>> know of. >>> >>> Who has evaluated the impact and dangers of wholesale adoption of >>> postal address validation of the long-existing gTLD Whois >>> databases– especially in a world that has changed dramatically in >>> the last few years – where entire governments have risen and >>> fallen, where formerly free countries and regions are enslaved by >>> terrorist organizations and a new set of dictators? While >>> proxy/privacy registrations are available, */they are a costly >>> luxury for many and completely unknown to others/*. >>> >>> >>> The mandatory validation of the massive number of postal addresses >>> in the gTLD Whois database – as appears to be the policy proposal >>> buried between methodology and sample sizes in the Contractor’s >>> report -- will result in the dangerous, harmful, even >>> life-threatening exposure of those using their domain names for >>> nothing more than communicating their ideas, concerns, political >>> hopes, and religious meetings via private streams of domain name >>> communications, such as on listservs and email addresses, and more >>> public resources including websites and blogs. >>> >>> >>> No policy we know has ever directed ICANN Staff to instruct a >>> Contractor to engage in massive Postal Address Validation – and no >>> policy development process we know has studied, weighed, debated >>> or valued the enormous impact to speech and expression of going >>> back over 25+ years of domain names registrations to suddenly >>> “correct” the postal address and thereby expose battered women’s >>> shelters, women’s schools in Pakistan, pro-democracy groups, >>> family planning groups and LBGQT locations worldwide. >>> >>> >>> If this is the policy we in ICANN choose to adopt in the future >>> (as we certainly have NOT adopted it already), then it will >>> require enormous amounts of preparation, notice and warning to >>> gTLD domain name >>> registrants on a global scale. Absent that, we know (without doubt >>> or hyperbole) that ICANN will have blood on its hands. >>> >>> Overall, ICANN’s Contractor NORC seems to have jumped into >>> policy-making, not mere implementation. >>> >>> * >>> II. ****Identity Validation – Really? * >>> >>> >>> Buried deep in Appendix B, of the Contractor’s Report, behind >>> “syntactic accuracy” and “operational accuracy” is the explosive >>> issue of “exploring accuracy from an identity perspective” (page >>> 45). >>> >>> At no time has ICANN ever held a Policy Development Processes on >>> Identity Validation. Accordingly, where does this guidance from >>> ICANN to its Contractor to explore identity validation >>> implementation come from?For those who attended the public Whois >>> meeting in LA, this issue certainly was not flagged in the >>> discussion; for those who attended the public meeting in >>> Singapore, this issue was introduced and IMMEDIATELY FLAGGED as >>> intensely controversial and divisive. >>> >>> >>> Identity validation of those engaged in freedom of expression, >>> publishing and political discussion is a deeply controversial >>> prospect – and one with heartfelt objection and opposition >>> grounded in history and law. The United States, for example, >>> sought to be free of Englandin part because of the mandatory >>> licensing of its printing presses – and the arrest of all who >>> published objections to actions of the English crown. Pamphlets >>> issued without names and addresses are not just a cultural right >>> in the US, but a constitutional one./McIntyre vs. >>> //Ohio//Elections Commission, 514 //U.S.//334 (US Supreme Court, >>> 1995). / >>> >>> >>> A.The GAC asked for a weighing of the risks and benefits >>> >>> We note that the GAC has not issued policy in this area. According >>> to the “Brief Overview” provided by ICANN as introduction to this >>> Contractor Report and this public comment period, the GAC “asked >>> for an assessment of the feasibility, costs and benefits of >>> conducting identity validation as part of the development of the >>> ARS.” >>> >>> >>> Nowhere in this report do we see any assessment of the costs, >>> delays, risks and harms that might be incurred by gTLD >>> Registrants, Registrars and Registries worldwide if identity >>> validation were adopted. Nowhere do we even see an analysis of how >>> identity validation takes places, what happens when a minority >>> seeks to register, or when a speaker must disclose and show her >>> identification as the cost of signing up for a domain name >>> highlighting family planning, women rights, or women’s education >>> in parts of the world not as conducive to these fundamental rights >>> and basic principles. Must she go through her father for this too? >>> >>> >>> B.ICANN has promised a policy making process. >>> >>> In his response to the GAC on this issue, Dr. Crocker noted concerns: >>> >>> The costs of operating the Accuracy Reporting System are largely dependent >>> >>> upon the number of WHOIS records to be examined, as well as the level of >>> >>> validation (syntactic, operational, or identity). For example, the initial >>> >>> responses to the ICANN RFP reveal that identity validation >>> services are both >>> >>> costly and difficult to administer on a global basis. */There may >>> also be data/* >>> >>> */protection and privacy issues of concern to the community when >>> conducting/* >>> >>> */extensive identity validation on WHOIS records./*Hence, the costs of >>> >>> completing the development of Phase 3 will be determined based on >>> >>> engagement with the community to identify the appropriate level of >>> identity >>> >>> validation for ICANN to conduct, as well as the costs associated with >>> >>> performing identity validation on a global scale. (https://www.icann.org/en/system/files/correspondence/crocker-to-dryden-02sep14-en.pdf, >>> emphasis added.) >>> >>> >>> As always, policy development must proceed implementation. We call >>> on ICANN to take this discussion out of the recesses of a >>> Contractor report, and into the light of the policy development >>> process. >>> >>> * >>> III**. Wide Outreach Needed* >>> >>> One thing the Whois Review Team did note in its Final Review is >>> the need for clear and concerted outreach on issues that impact >>> the Whois: “We found great interest in the WHOIS policy among a >>> number of groups that do not traditionally participate in ICANN’s >>> more technical proceedings. They include the law enforcement >>> community, Data Protection Commissioners, and the privacy >>> community more generally.”The Whois Review Team’s recommendation >>> specifically call for active and concerted outreach to these >>> communities of its issue: >>> >>> */Recommendation 3 - Outreach /* >>> >>> ICANN should ensure that WHOIS policy issues are accompanied by >>> cross-community outreach, including outreach to the communities >>> outside of ICANN with a specific interest in the issues, and an >>> ongoing program for consumer awareness. >>> >>> >>> That has clearly not happened here – when so much of substance is >>> buried so deeply in the back of a report. When will ICANN be >>> undertaking clear, robust global Outreach on these important >>> freedom of expression and privacy issues and implications? >>> >>> * >>> IV.**Finally, let’s Add Policy Staff and Freedom of Expression and >>> Data Protection Expertise* >>> >>> We ask that an ICANN Staff deeply steeped in data protection and >>> freedom of expression laws and rights be brought on to work on the >>> development of these address and identity issues. We understand >>> that ICANN feels previous backgrounds of its staffers do not limit >>> their activities, but the perception and reality of this issue >>> would be considered much more balanced if the ICANN Staffers of >>> the project hailed from an array of backgrounds and had >>> represented multiple sides of this issue in their prior lives. >>> >>> * >>> V.**Conclusion* >>> >>> We can’t bury wholesale physical address checking and the new >>> concept of identity validation in the back of a Contractor Report. >>> These are NOT policies examined or endorsed by the whole of the >>> ICANN or even the GNSO communities, nor policies evaluated yet by >>> the whole of the ICANN Community. The risks and benefits must be >>> assessed before the implementation is planned. >>> >>> >>> Signed, >>> >>> >>> MEMBERS OF THE NONCOMMERCIALS STAKEHOLDERS GROUP >>> [name, and/or organization, and/or country] >>> >>